Every week there seems to be news about some hacker that has accessed a server and stole a password file or that some phishing scheme is asking users to share their passwords. Since passwords are the gateway to your customers’ and employee’s personal information, as well as your intellectual property they are a sought after commodity that need to be protected.
There are various ways that hackers can obtain passwords. Social engineering and brute force attacks are just two approaches. These techniques work because the passwords in use are not strong or complex.
2012’s most common passwords
SplashData publishes an annual list of the top 25 most common passwords. For 2012, these are:
You can see how these may provide easy access to brute force attacks. Let’s see how these may be improved upon.
Some guidelines for strong passwords
Microsoft presents some guidelines for creating strong passwords. They recommend:
Length. Make your passwords long with eight or more characters.
Complexity. Include letters, punctuation, symbols, and numbers. Use the entire keyboard, not just the letters and characters you use or see most often. The greater the variety of characters in your password, the better. However, password hacking software automatically checks for common letter-to-symbol conversions, such as changing “and” to “&” or “to” to “2.”
Variation. To keep strong passwords effective, change them often. Set an automatic reminder for yourself to change your passwords on your email, banking, and credit card websites about every three months.
Variety. Don’t use the same password for everything. Cybercriminals steal passwords on websites that have very little security, and then they use that same password and user name in more secure environments, such as banking website.
You can even use the Microsoft strength checker to see how well you have done in creating a new password.
Strong passwords are not enough
There are policies that should be put in place to provide additional security in support of strong passwords. The Payment Card Industry Data Security Standard, PCI DSS, highlights many security practices specifying guidelines for users accessing cardholder data. Some things which may be applied to any user account include:
- Set passwords for first-time use and resets to a unique value for each user and change immediately after the first use
- Change user passwords at least every 90 days.
- Do not allow an individual to submit a new password that is the same as any of the last four passwords he or she has used.
- Verify user identity before performing password resets
- Limit repeated access attempts by locking out the user ID after not more than six attempts.
PCI DSS also contains some guidelines for account management which include:
- Assign all users a unique ID; do not allow sharing of user IDs or use of generic/group IDs
- Immediately revoke access for any terminated users.
- Enable accounts used by vendors for remote access only during the time period needed. Monitor vendor remote access accounts when in use.
How can a small or mid-size business enforce password policies
A first step for an SMB is to establish their account and password policies. Using the guidelines discussed in this post provides a good foundation for these requirements. Next, the policy needs to be enforced.
Many of the items discussed in this post can be implemented using the security settings found in a Microsoft environment. More information can be found on this subject on Microsoft’s Security TechCenter which contains security guidance for SMBs.